[cifs-utils/f16] Add patch to enable PIE and RELRO
Jeff Layton
jlayton at fedoraproject.org
Mon Jul 9 14:34:17 UTC 2012
commit 9ed8cfe64c066b44ae46641692b34cc3c8579f46
Author: Jeff Layton <jlayton at redhat.com>
Date: Mon Jul 9 10:33:32 2012 -0400
Add patch to enable PIE and RELRO
Signed-off-by: Jeff Layton <jlayton at redhat.com>
...-autoconf-add-enable-pie-and-enable-relro.patch | 83 ++++++++++++++++++++
0001-automake-revert-Werror-by-default.patch | 31 +++++++
cifs-utils.spec | 10 ++-
3 files changed, 123 insertions(+), 1 deletions(-)
---
diff --git a/0001-autoconf-add-enable-pie-and-enable-relro.patch b/0001-autoconf-add-enable-pie-and-enable-relro.patch
new file mode 100644
index 0000000..3421a67
--- /dev/null
+++ b/0001-autoconf-add-enable-pie-and-enable-relro.patch
@@ -0,0 +1,83 @@
+From 60a8e227c1351dbe96e54d066daafcfa1158e432 Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton at samba.org>
+Date: Mon, 9 Jul 2012 10:12:33 -0400
+Subject: [PATCH] autoconf: add --enable-pie and --enable-relro
+
+-pie and -fpie enable the building of position-independent executables,
+and -Wl,-z,relro turns on read-only relocation support in gcc. These
+options are important for security purposes to guard against possible
+buffer overflows that lead to exploits.
+
+Follow the example of samba here and enable these by default, but add
+configure options that allow people to turn them off at build-time if
+necessary.
+
+We may also want to eventually add checks to ensure that the compiler
+and linker understand these options, but I'll wait until we have some
+evidence that it's needed before I expend the effort.
+
+Reported-by: Andreas Schneider <asn at samba.org>
+Signed-off-by: Jeff Layton <jlayton at samba.org>
+---
+ Makefile.am | 2 +-
+ configure.ac | 27 +++++++++++++++++++++++++++
+ 2 files changed, 28 insertions(+), 1 deletions(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index b412262..0d0b599 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -1,4 +1,4 @@
+-AM_CFLAGS = -Wall -Wextra -D_FORTIFY_SOURCE=2
++AM_CFLAGS = -Wall -Wextra -D_FORTIFY_SOURCE=2 $(PIE_CFLAGS) $(RELRO_CFLAGS)
+ ACLOCAL_AMFLAGS = -I aclocal
+
+ root_sbindir = $(ROOTSBINDIR)
+diff --git a/configure.ac b/configure.ac
+index 0dd1155..a8d0bbc 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -10,6 +10,18 @@ AC_CONFIG_MACRO_DIR(aclocal)
+ AM_INIT_AUTOMAKE
+
+ # "enable" options
++AC_ARG_ENABLE(pie,
++ [AC_HELP_STRING([--enable-pie],
++ [Produce position independent executables @<:@default=yes@:>@])],
++ enable_pie=$enableval,
++ enable_pie="maybe")
++
++AC_ARG_ENABLE(relro,
++ [AC_HELP_STRING([--enable-relro],
++ [Enable relocations read-only support @<:@default=yes@:>@])],
++ enable_relro=$enableval,
++ enable_relro="maybe")
++
+ AC_ARG_ENABLE(cifsupcall,
+ [AC_HELP_STRING([--enable-cifsupcall],
+ [Create cifs.upcall binary @<:@default=yes@:>@])],
+@@ -82,6 +94,21 @@ AC_CHECK_HEADERS([arpa/inet.h ctype.h fcntl.h inttypes.h limits.h mntent.h netdb
+ AC_CHECK_HEADERS([sys/fsuid.h])
+ AC_CHECK_FUNC(setfsuid, , [AC_MSG_ERROR([System does not support setfsuid()])])
+
++# FIXME: add test(s) to autodisable these flags when compiler/linker don't support it
++if test $enable_pie != "no"; then
++ PIE_CFLAGS="-fpie -pie"
++else
++ PIE_CFLAGS=""
++fi
++AC_SUBST([PIE_CFLAGS])
++
++if test $enable_relro != "no"; then
++ RELRO_CFLAGS="-Wl,-z,relro"
++else
++ RELRO_CFLAGS=""
++fi
++AC_SUBST([RELRO_CFLAGS])
++
+ if test $enable_cifsupcall != "no"; then
+ AC_CHECK_HEADERS([krb5.h krb5/krb5.h])
+ if test x$ac_cv_header_krb5_krb5_h != xyes ; then
+--
+1.7.7.6
+
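Review bot: `RELRO_CFLAGS="-Wl,-z,relro"` in the configure.ac hunk gives only partial RELRO: PLT entries are still resolved lazily, so `.got.plt` stays writable for the life of the process. Adding `-z now`, i.e. `RELRO_CFLAGS="-Wl,-z,relro -Wl,-z,now"`, makes the whole GOT read-only after startup, which is the stronger setting for binaries that may be installed setuid or run as root (how these tools are installed is not visible here). Separately, `-pie` and `-Wl,...` are link-time options carried in `AM_CFLAGS`; keeping only `-fpie` there and moving the rest to `AM_LDFLAGS` would pass each flag only to the step that uses it. The `test $enable_pie != "no"` and `test $enable_relro != "no"` comparisons would also be more robust with the variable quoted, `test "$enable_pie" != "no"`.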
diff --git a/0001-automake-revert-Werror-by-default.patch b/0001-automake-revert-Werror-by-default.patch
new file mode 100644
index 0000000..49cf121
--- /dev/null
+++ b/0001-automake-revert-Werror-by-default.patch
@@ -0,0 +1,31 @@
+From 74edf24d9780900f3ce15d2403c6e331b031d454 Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton at samba.org>
+Date: Thu, 14 Jun 2012 10:59:18 -0400
+Subject: [PATCH] automake: revert -Werror by default
+
+I think in hindsight, that adding -Werror by default was a mistake.
+cifs-utils is built in a wide range of environments and tools, and it's
+very difficult to eliminate all of the possible warnings.
+
+Let's go ahead and remove it and reduce the steady trickle of patches
+that are simply to silence obscure warnings.
+
+Cc: Suresh Jayaraman <sjayaraman at suse.com>
+Signed-off-by: Jeff Layton <jlayton at samba.org>
+---
+ Makefile.am | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index 05729ca..b412262 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -1,4 +1,4 @@
+-AM_CFLAGS = -Wall -Wextra -Werror -D_FORTIFY_SOURCE=2
++AM_CFLAGS = -Wall -Wextra -D_FORTIFY_SOURCE=2
+ ACLOCAL_AMFLAGS = -I aclocal
+
+ root_sbindir = $(ROOTSBINDIR)
+--
+1.7.7.6
+
diff --git a/cifs-utils.spec b/cifs-utils.spec
index ea06b2f..01a3020 100644
--- a/cifs-utils.spec
+++ b/cifs-utils.spec
@@ -3,7 +3,7 @@
Name: cifs-utils
Version: 5.5
-Release: 1%{pre_release}%{?dist}
+Release: 2%{pre_release}%{?dist}
Summary: Utilities for mounting and managing CIFS mounts
Group: System Environment/Daemons
@@ -12,6 +12,8 @@ URL: http://linux-cifs.samba.org/cifs-utils/
BuildRoot: %{_tmppath}/%{name}-%{version}%{pre_release}-%{release}-root-%(%{__id_u} -n)
Source0: ftp://ftp.samba.org/pub/linux-cifs/cifs-utils/%{name}-%{version}%{pre_release}.tar.bz2
+Patch1: 0001-automake-revert-Werror-by-default.patch
+Patch2: 0001-autoconf-add-enable-pie-and-enable-relro.patch
BuildRequires: libcap-ng-devel libtalloc-devel krb5-devel keyutils-libs-devel autoconf automake samba-winbind-devel
Requires: keyutils
@@ -26,6 +28,8 @@ file system.
%prep
%setup -q -n %{name}-%{version}%{pre_release}
+%patch1 -p1
+%patch2 -p1
%build
%configure --prefix=/usr
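Review bot: The `%patch1`/`%patch2` lines change only `configure.ac` and `Makefile.am`, and the next visible step is `%configure --prefix=/usr` with nothing in between that regenerates the autotools output. Unless the `configure` and `Makefile.in` shipped in the tarball are rebuilt, the new `--enable-pie`/`--enable-relro` defaults and the extended `AM_CFLAGS` may never reach the compiler; automake's automatic rebuild rules may cover this, but that depends on file timestamps and is not visible here. Running `autoreconf -i` at the end of `%prep` (autoconf and automake are already in BuildRequires) would make it deterministic. The result is worth confirming on the built binaries, for example by checking with `readelf` that the ELF type is DYN and that a `GNU_RELRO` segment is present. The `%build` section continues past this hunk.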
@@ -55,6 +59,10 @@ rm -rf %{buildroot}
%{_mandir}/man8/mount.cifs.8.gz
%changelog
+* Mon Jul 09 2012 Jeff Layton <jlayton at redhat.com> 5.5-2
+- remove -Werror flag
+- enable PIE and RELRO
+
* Wed May 30 2012 Jeff Layton <jlayton at redhat.com> 5.5-1
- update to 5.5